master key type in kdc.conf

From: dan...@prime.gushi.org (Dan Mahoney (Gushi))
Newsgroups: comp.protocols.kerberos
Subject: master key type in kdc.conf
Date: Sun, 3 Oct 2021 00:36:23 -0700 (PDT)
Message-ID: <mailman.0.1633246593.17806.kerberos@mit.edu>
To: kerberos@mit.edu
 by: Dan Mahoney (Gushi) - Sun, 3 Oct 2021 07:36 UTC

Hey all,

We're in the process of rolling our mkey to get off 3des, and we found
that someone in the before-times has put this line in our kdc.conf:

master_key_type = des3-hmac-sha1

Obviously, that's not going to be the master key type of the new key, and
of course, I think when this command came out, there was no "use mkey"
format, so this was perhaps a primitive rollover method?

Would things break if I just took this line out? Or would the kdc fail to
start because a K/M of the default enctype isn't present yet?

Does it make sense to remove this line before rollover or after?
(This might be worth a mention in the docs).

-Dan

--

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
FB: fb.com/DanielMahoneyIV
LI: linkedin.com/in/gushi
Site: http://www.gushi.org
---------------------------
